@grv-saini-20
Collaborator

@grv-saini-20 grv-saini-20 commented Nov 13, 2025

Description of change

Fixed reset pin

Issue Number

closes #408

Type of change

  • New (a change which implements a new feature)
  • Update (a change which updates existing functionality)

How the change has been tested

Manual

Change checklist

  • I have ensured that the CI Checks pass locally
  • I have removed any unnecessary logic
  • My code is well documented
  • I have signed my commits
  • My code follows the pattern of the application
  • I have self reviewed my code

Summary by CodeRabbit

  • Bug Fixes

    • Improved PIN change flow with stronger input validation, mismatch checks, robust update handling, and clearer success/error feedback.
  • Style

    • Adjusted follower/stat display formatting for clearer presentation.
  • Chores

    • CI workflow and package resolution adjustments to stabilize builds and package handling.

@grv-saini-20 grv-saini-20 self-assigned this Nov 13, 2025
@grv-saini-20 grv-saini-20 requested a review from coodos as a code owner November 13, 2025 05:15
@coderabbitai
Contributor

coderabbitai bot commented Nov 13, 2025

Warning

Rate limit exceeded

@coodos has exceeded the limit for the number of commits or files that can be reviewed per hour. Please wait 22 minutes and 10 seconds before requesting another review.

⌛ How to resolve this issue?

After the wait time has elapsed, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

We recommend that you space out your commits to avoid hitting the rate limit.

🚦 How do rate limits work?

CodeRabbit enforces hourly rate limits for each developer per organization.

Our paid plans have higher rate limits than the trial, open-source and free plans. In all cases, we re-allow further reviews after a brief timeout.

Please see our FAQ for further information.

📥 Commits

Reviewing files that changed from the base of the PR and between 1b2a1be and 0219197.

📒 Files selected for processing (1)
  • .github/workflows/build.yml (1 hunks)

Walkthrough

Adds context retrieval and onMount initialization in the PIN settings page; strengthens PIN change handler with input length validation, match checks, and try/catch around securityController.updatePin; reintroduces an effect to set the header title. Also adjusts a UI label's markup, pins React packages via pnpm overrides, and adds a CI workaround step plus Node 20 in the GitHub Actions build workflow.

Changes

| Cohort / File(s) | Summary |
|---|---|
| PIN change handler enhancement: infrastructure/eid-wallet/src/routes/(app)/settings/pin/+page.svelte | Added getContext and onMount imports; introduced `globalState: GlobalState |
| UI label formatting: platforms/blabsy/src/components/user/user-follow-stats.tsx | Adjusted markup/formatting of follower/stat count label (wrapped conditional text in a multi-line <p>). No behavioral changes. |
| Package resolution overrides: platforms/dreamSync/package.json | Added top-level pnpm.overrides pinning react, react-dom, @types/react, and @types/react-dom to exact versions. No dependency additions or script changes. |
| CI workflow and Rollup workaround: .github/workflows/build.yml | Changed Node setup to 20.x, adjusted on: indentation, and added a workaround step to ensure the Rollup native binary is installed for the marketplace (removes node_modules/package-lock.json, runs npm ci in a specified working-directory) before the existing build step. |

Sequence Diagram(s)

sequenceDiagram
    participant User
    participant Form as PIN Form
    participant Validator as Input Validator
    participant Controller as Security Controller
    participant UI as UI State

    User->>Form: Submit (currentPin, newPin, repeatPin)
    Form->>Validator: Validate lengths (current, new, repeat)
    alt Validation fails
        Validator-->>Form: validation error
        Form->>UI: set isError = true
        UI-->>User: show validation feedback
    else Validation passes
        Validator-->>Form: OK
        Form->>Form: check newPin === repeatPin
        alt Mismatch
            Form->>UI: set isError = true
            UI-->>User: show mismatch error
        else Match
            Form->>Controller: updatePin(currentPin, newPin)
            alt Success
                Controller-->>Form: success
                Form->>UI: clear isError, show success Drawer
                UI-->>User: show success message
            else Failure
                Controller-->>Form: error
                Form->>UI: log error, set isError = true
                UI-->>User: show error feedback
            end
        end
    end

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~25 minutes

  • Inspect globalState retrieval and ensure the getContext key/type matches the provider.
  • Verify securityController.updatePin error modes and that the UI handles failures and drawer close correctly (see linked bug #408).
  • Confirm input length rules match product/security requirements.
  • Review the CI workaround step for side effects and ensure Node 20 change is intended.
  • Check pnpm overrides for potential workspace resolution conflicts.

Suggested reviewers

  • coodos
  • xPathin

Poem

🐰 I hopped to check each pin with care,
digits counted in the evening air.
Try/catch cradle, drawer opens wide,
errors shrunk small, success steps inside.
A tiny rabbit cheers this tidy byte. 🥕✨

Pre-merge checks and finishing touches

❌ Failed checks (2 warnings)
| Check name | Status | Explanation | Resolution |
|---|---|---|---|
| Out of Scope Changes check | ⚠️ Warning | Changes to user-follow-stats formatting, package.json overrides, and workflow Node.js version updates appear unrelated to the PIN reset issue #408, suggesting potential scope creep. | Review and remove unrelated changes to user-follow-stats.tsx, package.json, and build.yml, or clarify their necessity in issue #408. |
| Docstring Coverage | ⚠️ Warning | Docstring coverage is 0.00% which is insufficient. The required threshold is 80.00%. | You can run @coderabbitai generate docstrings to improve docstring coverage. |

✅ Passed checks (3 passed)

| Check name | Status | Explanation |
|---|---|---|
| Title check | ✅ Passed | The title 'fix: reset-pin' directly addresses the main change: fixing the reset PIN functionality, which aligns with the primary objective. |
| Description check | ✅ Passed | The description follows the template with all required sections: change description, issue number, type of change, testing method, and completed checklist. |
| Linked Issues check | ✅ Passed | The changes comprehensively address issue #408: the PIN settings page now includes proper validation, error handling, and integration with the security controller to fix the non-functional reset PIN flow. |

Contributor

@coderabbitai coderabbitai bot left a comment

Actionable comments posted: 1

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)
infrastructure/eid-wallet/src/routes/(app)/settings/pin/+page.svelte (1)

62-62: Fix typo in user-facing text.

Line 62 contains a grammatical error: "Enter you current PIN" should be "Enter your current PIN".

-            <p class="mb-[1svh]">Enter you current PIN</p>
+            <p class="mb-[1svh]">Enter your current PIN</p>
🧹 Nitpick comments (4)
infrastructure/eid-wallet/src/routes/(app)/settings/pin/+page.svelte (4)

22-29: Consider adding numeric-only validation for PIN inputs.

The current validation only checks PIN length but doesn't verify that the inputs contain only numeric characters. While the InputPin component may handle this, explicit validation here would improve robustness and provide clearer error messages if non-numeric input is somehow entered.

Add numeric validation:

     const handleChangePIN = async () => {
+        const isNumeric = (pin: string) => /^\d+$/.test(pin);
+        
+        if (!isNumeric(currentPin) || !isNumeric(newPin) || !isNumeric(repeatPin)) {
+            errorMessage = "PIN must contain only numbers.";
+            return;
+        }
+
         if (
             newPin.length < 4 ||
             repeatPin.length < 4 ||
             currentPin.length < 4
         ) {
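
Review bot: The added numeric check reports through `errorMessage` and returns without setting `isError`, which is the flag the handler uses for its other failures elsewhere in this review, and `errorMessage` is not declared in any of the lines shown. Pick one error channel and set it in every failing branch. Because the regex test runs before the length test, an empty field is reported as "PIN must contain only numbers." rather than as too short; a single pattern such as `/^\d{4,}$/` covers both rules and removes the ordering question.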

36-43: Add loading state to prevent duplicate submissions.

The async updatePin call has no loading indicator, allowing users to repeatedly click "Change PIN" during the operation. This could result in multiple concurrent update attempts.

Add a loading state:

+    let isLoading = $state(false);
...
     const handleChangePIN = async () => {
+        if (isLoading) return;
+        
         if (
             newPin.length < 4 ||
             repeatPin.length < 4 ||
             currentPin.length < 4
         ) {
             isError = true;
             return;
         }

         if (newPin !== repeatPin) {
             isError = true;
             return;
         }

         try {
+            isLoading = true;
             await globalState?.securityController.updatePin(currentPin, newPin);
             isError = false;
             showDrawer = true;
         } catch (err) {
             console.error("Failed to update PIN:", err);
             isError = true;
+        } finally {
+            isLoading = false;
         }
     };
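
Review bot: In the `try` block, `await globalState?.securityController.updatePin(currentPin, newPin)` resolves to `undefined` without calling anything when `globalState` is unset, and the next two lines then clear `isError` and open the success drawer, so the user is told the PIN changed when it did not. Check `globalState` explicitly before the call and take the error path when it is missing. The `isLoading = true` assignment after the validation returns and the reset in `finally` are placed correctly.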

Then disable the button during loading:

-    <ButtonAction class="w-full" callback={handleChangePIN}
+    <ButtonAction class="w-full" callback={handleChangePIN} disabled={isLoading}
         >Change PIN</ButtonAction
     >

46-49: Error clearing logic is overly specific and may not handle all cases.

The $effect clears isError only when repeatPin is exactly 4 characters and matches newPin. This doesn't clear errors when:

  • The user corrects the currentPin length after an initial validation failure
  • The user is entering a PIN longer than 4 characters and they match
  • A previous error was from a failed updatePin call (server-side error)

If you implement the errorMessage approach suggested earlier, consider clearing the error message as users type, providing real-time feedback:

     $effect(() => {
         runtime.header.title = "Change PIN";
-        if (repeatPin.length === 4 && newPin === repeatPin) isError = false;
+        // Clear error when user fixes the validation issues
+        if (currentPin.length >= 4 && newPin.length >= 4 && repeatPin.length >= 4) {
+            if (newPin === repeatPin && errorMessage.includes("match")) {
+                errorMessage = "";
+            } else if (errorMessage.includes("at least 4 characters")) {
+                errorMessage = "";
+            }
+        }
     });
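
Review bot: The replacement lines clear the error by testing `errorMessage.includes("match")` and `errorMessage.includes("at least 4 characters")`, which ties state logic to the wording of user-facing strings and stops working silently when a message is reworded or translated. Track the failure as a code (for example "mismatch" or "too_short") and derive the displayed text from it. The removed line was also the only one here that reset `isError`, so if the template still reads `isError`, nothing clears it after this change.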

36-43: Consider clearing PIN fields after successful update.

After a successful PIN change, the input fields retain their values. If the user dismisses the success drawer, the old and new PINs remain visible in the form. For better security and UX, consider clearing all fields after a successful update.

         try {
             await globalState?.securityController.updatePin(currentPin, newPin);
             isError = false;
             showDrawer = true;
+            currentPin = "";
+            newPin = "";
+            repeatPin = "";
         } catch (err) {
             console.error("Failed to update PIN:", err);
             isError = true;
         }
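
Review bot: The three assignments that clear `currentPin`, `newPin` and `repeatPin` sit only in the success path, so when `updatePin` rejects, the `catch` block leaves all three values in component state and in the form. Consider clearing at least `currentPin` in `catch` as well, so a failed attempt does not leave the existing PIN in the inputs.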
📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between ed2cf47 and 32673d6.

📒 Files selected for processing (1)
  • infrastructure/eid-wallet/src/routes/(app)/settings/pin/+page.svelte (1 hunks)
🧰 Additional context used
🧠 Learnings (1)
📓 Common learnings
Learnt from: sosweetham
Repo: MetaState-Prototype-Project/prototype PR: 97
File: infrastructure/eid-wallet/src/lib/global/controllers/security.ts:86-93
Timestamp: 2025-04-24T06:00:34.296Z
Learning: Rate limiting for PIN verification is not part of the design requirements for the SecurityController in the eid-wallet application, and should not be suggested as an enhancement.
⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (1)
  • GitHub Check: build
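
The PIN change flow summarized in this review (validate the inputs, compare the new PIN with its repeat, then call updatePin), as an added JavaScript example that is not code from the PR or from the eid-wallet project. `createPinChanger`, the error codes and the `controller` stand-in are assumptions for illustration; only `updatePin(currentPin, newPin)` and the minimum length of 4 come from the page.

```javascript
// Added example: framework-free sketch of the reviewed PIN change flow.
// `controller` stands in for the wallet's securityController; its updatePin()
// is assumed to reject on failure (assumption, not taken from the project).

const MIN_PIN_LENGTH = 4; // minimum length used in the reviewed handler

// Pure validation: returns an error code, or null when the input is acceptable.
function validatePinChange(currentPin, newPin, repeatPin) {
    const pins = [currentPin, newPin, repeatPin];
    if (pins.some((p) => typeof p !== "string" || p.length < MIN_PIN_LENGTH)) {
        return "too_short";
    }
    if (pins.some((p) => !/^[0-9]+$/.test(p))) return "not_numeric";
    if (newPin !== repeatPin) return "mismatch";
    return null;
}

// Builds a submit handler that allows one update in flight and fails closed.
function createPinChanger(controller) {
    let inFlight = false;
    return async function changePin(form) {
        if (inFlight) return { ok: false, error: "busy" };
        const error = validatePinChange(form.currentPin, form.newPin, form.repeatPin);
        if (error) return { ok: false, error };
        // A missing controller is a failure, never a silent success.
        if (!controller) return { ok: false, error: "unavailable" };
        inFlight = true;
        try {
            await controller.updatePin(form.currentPin, form.newPin);
            // Drop the secrets from form state once the update has succeeded.
            form.currentPin = form.newPin = form.repeatPin = "";
            return { ok: true, error: null };
        } catch (err) {
            // Report a code only; the PIN values are never logged.
            return { ok: false, error: "update_failed" };
        } finally {
            inFlight = false;
        }
    };
}
```

Returning a code instead of a message lets the UI decide when to clear an error without matching on display text.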

@coodos coodos merged commit 5f41b17 into main Nov 13, 2025
4 checks passed
@coodos coodos deleted the fix/reset-pin branch November 13, 2025 09:44
@coderabbitai coderabbitai bot mentioned this pull request Nov 13, 2025
6 tasks
Development

Successfully merging this pull request may close these issues.

[Bug] reset pin button not working in eid wallet